tetragon: Add --execve-map-entries/--execve-map-size options

Adding --execve-map-entries and --execve-map-size options to setup entries of execve_map map. It's possible to setup execve_map entries directly with: --execve-map-entries 100 or just specify the size of the map with: --execve-map-size 100M Adding log line that shows on startup the execve_map entries setup: time="2025-02-11T10:57:06Z" level=info msg="Set execve_map entries 118082" size=99M Signed-off-by: Jiri Olsa <jolsa@kernel.org>
cilium · Feb 12, 2025 · 05717bf · 05717bf
1 parent 7a02ae2
commit 05717bf
Show file tree

Hide file tree

Showing 6 changed files with 69 additions and 2 deletions.
diff --git a/cmd/tetragon/main.go b/cmd/tetragon/main.go
@@ -224,6 +224,10 @@ func tetragonExecuteCtx(ctx context.Context, cancel context.CancelFunc, ready fu
 		log.Fatalf("Can't specify --rb-size and --rb-size-total together")
 	}
 
+	if option.Config.ExecveMapEntries != 0 && len(option.Config.ExecveMapSize) != 0 {
+		log.Fatalf("Can't specify --execve-map-entries and --execve-map-size together")
+	}
+
 	// enable extra programs/maps loading debug output
 	if logger.DefaultLogger.IsLevelEnabled(logrus.DebugLevel) {
 		program.KeepCollection = true

diff --git a/docs/data/tetragon_flags.yaml b/docs/data/tetragon_flags.yaml
diff --git a/pkg/option/config.go b/pkg/option/config.go
@@ -110,6 +110,9 @@ type config struct {
 	EventCacheRetryDelay int
 
 	CompatibilitySyscall64SizeType bool
+
+	ExecveMapEntries int
+	ExecveMapSize    string
 }
 
 var (

diff --git a/pkg/option/flags.go b/pkg/option/flags.go
@@ -118,6 +118,9 @@ const (
 	KeyEventCacheRetryDelay = "event-cache-retry-delay"
 
 	KeyCompatibilitySyscall64SizeType = "enable-compatibility-syscall64-size-type"
+
+	KeyExecveMapEntries = "execve-map-entries"
+	KeyExecveMapSize    = "execve-map-size"
 )
 
 type UsernameMetadaCode int
@@ -252,6 +255,8 @@ func ReadAndSetFlags() error {
 
 	Config.CompatibilitySyscall64SizeType = viper.GetBool(KeyCompatibilitySyscall64SizeType)
 
+	Config.ExecveMapEntries = viper.GetInt(KeyExecveMapEntries)
+	Config.ExecveMapSize = viper.GetString(KeyExecveMapSize)
 	return nil
 }
 
@@ -419,4 +424,7 @@ func AddFlags(flags *pflag.FlagSet) {
 	flags.Int(KeyEventCacheRetryDelay, defaults.DefaultEventCacheRetryDelay, "Delay in seconds between event cache retries")
 
 	flags.Bool(KeyCompatibilitySyscall64SizeType, false, "syscall64 type will produce output of type size (compatibility flag, will be removed in v1.4)")
+
+	flags.Int(KeyExecveMapEntries, 0, "Set entries for execve_map table (default 32768)")
+	flags.String(KeyExecveMapSize, "", "Set size for execve_map table (allows K/M/G suffix)")
 }
diff --git a/pkg/sensors/base/base.go b/pkg/sensors/base/base.go
@@ -7,14 +7,18 @@ import (
 	"log"
 	"sync"
 	"testing"
+	"unsafe"
 
 	"github.com/cilium/tetragon/pkg/errmetrics"
 	"github.com/cilium/tetragon/pkg/ksyms"
 	"github.com/cilium/tetragon/pkg/logger"
 	"github.com/cilium/tetragon/pkg/mbset"
+	"github.com/cilium/tetragon/pkg/option"
 	"github.com/cilium/tetragon/pkg/sensors"
 	"github.com/cilium/tetragon/pkg/sensors/exec/config"
+	"github.com/cilium/tetragon/pkg/sensors/exec/execvemap"
 	"github.com/cilium/tetragon/pkg/sensors/program"
+	"github.com/cilium/tetragon/pkg/strutils"
 )
 
 const (
@@ -77,6 +81,16 @@ var (
 	ErrMetricsMap = program.MapBuilder(errmetrics.MapName, Execve)
 )
 
+func parseExecveMapSize(str string) (int, error) {
+	// set entries based on size
+	size, err := strutils.ParseSize(str)
+	if err != nil {
+		return 0, err
+	}
+	val := size / int(unsafe.Sizeof(execvemap.ExecveValue{}))
+	return val, nil
+}
+
 func setupSensor() {
 	// exit program function
 	ks, err := ksyms.KernelSymbols()
@@ -97,7 +111,27 @@ func setupSensor() {
 	}
 	logger.GetLogger().Infof("Exit probe on %s", Exit.Attach)
 
-	ExecveMap.SetMaxEntries(execveMapMaxEntries)
+	// Setup execve_map max entries
+	if option.Config.ExecveMapEntries != 0 && len(option.Config.ExecveMapSize) != 0 {
+		log.Fatal("Both ExecveMapEntries and ExecveMapSize set, confused..")
+	}
+
+	var entries int
+
+	if option.Config.ExecveMapEntries != 0 {
+		entries = option.Config.ExecveMapEntries
+	} else if len(option.Config.ExecveMapSize) != 0 {
+		if entries, err = parseExecveMapSize(option.Config.ExecveMapSize); err != nil {
+			log.Fatal("Failed to parse ExecveMapSize value")
+		}
+	} else {
+		entries = execveMapMaxEntries
+	}
+	ExecveMap.SetMaxEntries(entries)
+
+	logger.GetLogger().
+		WithField("size", strutils.SizeWithSuffix(entries*int(unsafe.Sizeof(execvemap.ExecveValue{})))).
+		Infof("Set execve_map entries %d", entries)
 }
 
 func GetExecveMap() *program.Map {

diff --git a/pkg/sensors/exec/procevents/proc_reader.go b/pkg/sensors/exec/procevents/proc_reader.go
@@ -370,13 +370,26 @@ func writeExecveMap(procs []procs) {
 			panic(err)
 		}
 	}
+
+	entries, ok := base.ExecveMap.GetMaxEntries()
+	if !ok {
+		logger.GetLogger().Fatal("Failed to get number of execve_map entries, confused..")
+	}
+	logger.GetLogger().Infof("Maximum execve_map entries %d, need to add %d.", entries, len(procs))
+	i := uint32(0)
+
 	inInitTree := make(map[uint32]struct{})
 	for _, p := range procs {
 		k, v := procToKeyValue(p, inInitTree)
 		err := m.Put(k, v)
 		if err != nil {
 			logger.GetLogger().WithField("value", v).WithError(err).Warn("failed to put value in execve_map")
 		}
+
+		i++
+		if i == entries {
+			break
+		}
 	}
 	// In order for kprobe events from kernel ctx to not abort we need the
 	// execve lookup to map to a valid entry. So to simplify the kernel side
@@ -393,7 +406,7 @@ func writeExecveMap(procs []procs) {
 	})
 	m.Close()
 
-	updateExecveMapStats(int64(len(procs)))
+	updateExecveMapStats(int64(entries))
 }
 
 func pushEvents(ps []procs) {